OFFICE OF INSPECTOR GENERAL
Audit Report

Review of the Railroad Retirement Board's Security Patch Management Process

This abstract summarizes the results of the subject audit. The full report includes information protected from disclosure and has been designated for limited distribution pursuant to 5 U.S.C. § 552

Report No. 11-08
July 7, 2011

RAILROAD RETIREMENT BOARD

REPORT ABSTRACT
Review of the Railroad Retirement Board's Security Patch Management Process

The Office of Inspector General of the Railroad Retirement Board (RRB) conducted an audit to determine whether the RRB's patch management policies, procedures and practices are in compliance with the Federal Information Security Management Act of 2002 (FISMA) requirements and if the security controls over patch management are in place and operating as intended.

FISMA requires agencies to establish and maintain a security management program that includes timely and secure installation of software patches. Patch management is a security practice designed to prevent the exploitation of information technology (IT) vulnerabilities that exist within an organization. Patches are additional pieces of code developed to address security flaws and problems in software. Timely installation of security patches is generally recognized as critical to maintaining the operational availability, confidentiality, and integrity of IT systems.

In a separately issued Restricted Distribution report, we communicated that the RRB's security patch management policies, procedures and practices comply with FISMA requirements. However, while security controls over patch management are in place, they are not fully effective or operating as intended. We made 13 detailed recommendations to RRB management for improvement in:

      procedures for the remediation of identified vulnerabilities;
      standards for timely resolution of remediation requests;
      vulnerability scanning procedures for PCs and servers;
      third-party software security updates;
      monthly server patching process;
      security patch management process performance reports;
      notification of mainframe computer updates; and
      information security policies and procedures.

Agency Management has agreed to take corrective actions for all recommendations.